New Version of DarkHotel Malware Spotted Going After Political Figures

Share this…

The DarkHotel hacking group, a threat actor known to engage in advanced cyber-espionage tactics, has shifted operations from targeting CEOs and businessmen to political figures.

DarkHotel has its own place in infosec lore due to its unique tactics of infecting victims. The group’s name comes from its main technique of hacking and taking over the WiFi networks in popular hotels across southeast Asia.

The group waits for an employee from a large company to check into the hotel and then delivers fake software updates for applications such as Flash. If the employee falls for their tricks, the DarkHotel group steals data from his work laptop and use it to compromise his company.

DarkHotel made a comeback in 2016

The group used these tactics from 2011, through 2014 — when first exposed — and were also seen launching attacks on hotel WiFi networks in 2015.

In 2016, the group has been relatively quiet. On Thursday, Bitdefender released a new report on DarkHotel’s activity in 2016.

According to the Romanian-based security software vendor, the DarkHotel group has switched to spear-phishing campaigns, abandoning its WiFi hacks, at least for last year.

DarkHotel switches to mundane spear-phishing campaigns

In a 12-page report, Bitdefender analysts detail DarkHotel’s new tactics, a series of carefully planned spear-phishing emails that deliver a RAR SFX (self-extracting archive) named winword.exe.

Once executed, the winword.exe file would install the backdoor and show a decoy document. The decoy document provides a list of email contacts for various organizations in North Korea’s capital city.

This file delivers a never-before-seen malware that Bitdefender named Inexsmar. Researchers say they spotted the malware in spear-phishing attacks with a political theme.

“The messaging is crafted in such a way that political figures would be interested, and not necessarily CEOs,” Liviu Arsene, Senior eThreat Analyst for Bitdefender, told Bleeping Computer in an email on Thursday.

Inexsmar malware linked to 6-year-old DarkHotel samples

These tactics are a departure from the group’s previous targeting scheme and modus operandi. Despite a left turn from previous tactics, Bitdefender says that Inexsmar contains various similarities to past DarkHotel malware, enough to make researchers believe it was created by the same developers.

The role of Inexsmar is to collect data from infected hosts and send it to a remote command-and-control (C&C) servers.

If the infected host is deemed valuable, the C&C operators deliver another malware family, used in past DarkHotel attacks. Furthermore, the C&C servers were also known to be associated with past DarkHotel campaigns.

Bitdefender says it detected these spear-phishing emails in September 2016. It is unclear if the group, which Kaspersky and others believe to be made up of Korean-speaking hackers, has dropped its act of hacking WiFi networks at luxury hotels and are now migrating to classic APT techniques. Time will tell, but DarkHotel coming back to life is a bad sign for both business executives and political figures.